Since I seem to be getting nowhere on my initial approach, I am going to change tactics.
I am attempting to follow:
I can get almost all the steps to work properly.
I am confused on where to insert the shown xml into the .../configuration/standalone.xml
file.
Any help would be greatly appreciated.
I think if I can get this xml snippet into .../configuration/standalone.xml, then I will have a running wildfly instance utilizing ssl. But everywhere I think to add the snippet results in wildfly startup saying there's a syntax error in the configuration.
Thanks.
On Thu, 2022-07-14 at 16:03 -0500, John W. Himpel wrote:
On Wed, 2022-07-13 at 15:38 -0500, John W. Himpel wrote:
> I am trying to follow Farah Juma's Blog entry found at
> https://developer.jboss.org/people/fjuma/blog/2018/08/31/obtaining-certif...
> to configure wildfly to obtain a "Let's Encrypt" certificate for use by wildfly (Version 26).
>
> I have installed a new wildfly instance in /opt/wildfly/wf26. It starts successfully using systemd.
>
> I execute the jboss-cli command shown under the heading "Prerequisite configuration" using the following command:
>
> /opt/wildfly/wf26/bin/jboss-cli.sh --connect
> batch --file=/home/jwhimpel/prerequisite.cli
> run-batch
>
> jboss-cli.sh responds with "The batch executed successfully".
>
> In /opt/wildfly/wf26/standalone/log/server.log, I see:
> 2022-07-13 20:06:30,849 WARN [org.wildfly.extension.elytron] (MSC service thread 1-2) WFLYELY00023: KeyStore file '/opt/wildfly/wf26/standalone/configuration/server.keystore.jks' does not exist. Used blank.
>
> I'm assuming this is a harmless warning.
>
> I execute the jboss-cli command shown under the heading "One-time configuration" using the following command:
>
> /opt/wildfly/wf26/bin/jboss-cli.sh --connect
> batch --file=/home/jwhimpel/configure_account.cli
> run-batch
>
> jboss-cli.sh responds with "The batch executed successfully"
>
> In /opt/wildfly/wf26/standalone/log/server.log, I see:
> 2022-07-13 20:07:12,878 WARN [org.wildfly.extension.elytron] (MSC service thread 1-3) WFLYELY00023: KeyStore file '/opt/wildfly/wf26/standalone/configuration/accounts.keystore.jks' does not exist. Used blank.
>
> Again, I'm assuming this is a harmless warning. However, an accounts.keystore.jks file now appears under /opt/wildfly/wf26/standalone/configuration/.
>
>
> I execute the jboss-cli command shown under the heading "Obtain a certificate from Let's Encrypt" using the following command:
>
> /opt/wildfly/wf26/bin/jboss-cli.sh --connect
> batch --file=/home/jwhimpel/obtain_certificate.cli
> run-batch
>
> jboss-cli.sh responds with: The batch failed with the following error (you are remaining in the batch editing mode to have a chance to correct the error):
> WFLYCTL0062: Composite operation failed and was rolled back. Steps that failed:
> Step: step-1
> Operation: /subsystem=elytron/key-store=serverKS:obtain-certificate(alias=server,domain-names=[testWildfly.jlhimpel.net],certificate-authority-account=myLetsEncryptAccount,agree-to-terms-of-service)
> Failure: ELY10048: Challenge response failed validation by the ACME server
>
>
>
> In /opt/wildfly/wf26/standalone/log/server.log, I see:
> 2022-07-13 20:25:48,624 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 2) WFLYCTL0013: Operation ("obtain-certificate") failed - address: ([
> ("subsystem" => "elytron"),
> ("key-store" => "serverKS")
> ]) - failure description: "ELY10048: Challenge response failed validation by the ACME server"
>
> File prerequisite.cli:
> /subsystem=elytron/key-store=serverKS:add(path=server.keystore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS)
>
> File configure_account.cli:
> /subsystem=elytron/key-store=accountsKS:add(path=accounts.keystore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS)
> /subsystem=elytron/certificate-authority-account=myLetsEncryptAccount:add(alias=letsEncrypt,key-store=accountsKS,contact-urls=[mailto:john@jlhimpel.net])
>
> File obtain_certificate.cli:
> /subsystem=elytron/key-store=serverKS:obtain-certificate(alias=server,domain-names=[testWildfly.jlhimpel.net],certificate-authority-account=myLetsEncryptAccount,agree-to-terms-of-service)
>
> firewall-cmd --list-all shows:
> Server (active)
> target: default
> icmp-block-inversion: no
> interfaces: enp1s0 localhost
> sources:
> services: cockpit http https mountd nfs rpc-bind ssh
> ports: 9990/tcp 9993/tcp 8080/tcp 8443/tcp 19990/tcp 19993/tcp
> protocols:
> forward: no
> masquerade: no
> forward-ports:
> source-ports:
> icmp-blocks:
> rich rules:
>
> At this point, I am stumped as to what I might have done wrong. Any suggestions would be greatly appreciated.
>
> John
I discovered that my router was pointing inbound port 80 and 443 to another server. I corrected the router settings and reran the failing command.
I got the following on the console:
The batch failed with the following error (you are remaining in the batch editing mode to have a chance to correct the error):
WFLYCTL0062: Composite operation failed and was rolled back. Steps that failed:
Step: step-1
Operation: /subsystem=elytron/key-store=serverKS:obtain-certificate(alias=server,domain-names=[testWildfly.jlhimpel.net],certificate-authority-account=myLetsEncryptAccount,agree-to-terms-of-service)
Failure: ELY10048: Challenge response failed validation by the ACME server
I got the following in the server.log:
2022-07-14 20:55:12,431 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 6) WFLYCTL0013: Operation ("obtain-certificate") failed - address: ([
("subsystem" => "elytron"),
("key-store" => "serverKS")
]) - failure description: "ELY10048: Challenge response failed validation by the ACME server"
I see nothing in the journal log. I see nothing in the audit log.
I performed "certbot certificates" and there is no certificate listed for testwildfly.jlhimpel.net.
If I look at https://crt.sh, I see two certificates for testwildfly.jlhimpel.net with expiration dates in June of 2022.
I am at a loss for ideas or places to look.
John
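Added example, not code from this thread, from the blog post it follows, or from WildFly itself: a small Python script that places an Elytron key-store element at the spot in standalone.xml where WildFly's parser accepts it (the tls/key-stores section of the Elytron subsystem, the same layout the stock configuration uses) and checks placement and well-formedness before a restart. The trimmed sample configuration, its namespace versions, and the assumed child order inside tls are constructed for the example; the thread does not show the blog's XML snippet, so none is reproduced here.

```python
"""Put an Elytron <key-store> where standalone.xml's parser expects it
(subsystem[urn:wildfly:elytron:*] > tls > key-stores > key-store) and
check a configuration before restarting WildFly.  Added example; the
sample file and namespace versions below are assumptions."""
import xml.etree.ElementTree as ET

ELYTRON_NS_PREFIX = "{urn:wildfly:elytron:"

# Constructed, heavily trimmed stand-in for a real standalone.xml.
SAMPLE_STANDALONE_XML = """<server xmlns="urn:jboss:domain:20.0">
  <profile>
    <subsystem xmlns="urn:wildfly:elytron:18.0">
      <tls>
        <key-stores>
          <key-store name="applicationKS">
            <credential-reference clear-text="password"/>
            <implementation type="JKS"/>
            <file path="application.keystore" relative-to="jboss.server.config.dir"/>
          </key-store>
        </key-stores>
      </tls>
    </subsystem>
  </profile>
</server>
"""

# Snippet pasted one level too high: well-formed XML, but not a place the
# Elytron schema allows a key-store, so the server rejects the file on boot.
MISPLACED_SAMPLE = SAMPLE_STANDALONE_XML.replace(
    "<profile>",
    '<profile>\n    <key-store name="serverKS"><file path="server.keystore.jks"/></key-store>',
)

# Snippet pasted with its closing tag lost: not even well-formed.
BROKEN_SAMPLE = SAMPLE_STANDALONE_XML.replace(
    "</key-stores>", '<key-store name="serverKS">\n        </key-stores>'
)


def _local(tag):
    """Tag name without its {namespace} part."""
    return tag.split("}", 1)[1] if tag.startswith("{") else tag


def _namespace(tag):
    return tag[1:].split("}", 1)[0] if tag.startswith("{") else ""


def parse_error(xml_text):
    """None if the text is well-formed XML, otherwise the parser's message."""
    try:
        ET.fromstring(xml_text)
        return None
    except ET.ParseError as exc:
        return str(exc)


def find_elytron_subsystem(root):
    """The <subsystem> element in an urn:wildfly:elytron:* namespace, or None."""
    for el in root.iter():
        if _local(el.tag) == "subsystem" and el.tag.startswith(ELYTRON_NS_PREFIX):
            return el
    return None


def check_key_store_placement(xml_text):
    """List every <key-store> that is not under the Elytron subsystem's tls/key-stores."""
    root = ET.fromstring(xml_text)
    parent = {child: p for p in root.iter() for child in p}
    problems = []
    for el in root.iter():
        if _local(el.tag) != "key-store":
            continue
        ancestors, node = [], el
        while node in parent:
            node = parent[node]
            ancestors.append(node)
        names = [_local(a.tag) for a in ancestors]
        ok = (names[:3] == ["key-stores", "tls", "subsystem"]
              and ancestors[2].tag.startswith(ELYTRON_NS_PREFIX))
        if not ok:
            where = "/".join(reversed(names)) + "/key-store"
            problems.append(f"key-store {el.get('name')!r} is at {where}; "
                            "expected .../subsystem(elytron)/tls/key-stores/key-store")
    return problems


def add_key_store(xml_text, name, path, clear_text, ks_type="JKS"):
    """Return xml_text with a key-store added; the XML counterpart of the
    thread's /subsystem=elytron/key-store=NAME:add(...) CLI command."""
    root = ET.fromstring(xml_text)
    subsystem = find_elytron_subsystem(root)
    if subsystem is None:
        raise ValueError("configuration has no Elytron subsystem")
    ns = "{" + _namespace(subsystem.tag) + "}"
    tls = subsystem.find(ns + "tls")
    if tls is None:
        tls = ET.SubElement(subsystem, ns + "tls")
    key_stores = tls.find(ns + "key-stores")
    if key_stores is None:
        # Assumed schema order: key-stores is the first child inside <tls>.
        key_stores = ET.Element(ns + "key-stores")
        tls.insert(0, key_stores)
    if any(ks.get("name") == name for ks in key_stores.findall(ns + "key-store")):
        raise ValueError(f"key-store {name!r} already defined")
    ks = ET.SubElement(key_stores, ns + "key-store", {"name": name})
    ET.SubElement(ks, ns + "credential-reference", {"clear-text": clear_text})
    ET.SubElement(ks, ns + "implementation", {"type": ks_type})
    ET.SubElement(ks, ns + "file",
                  {"path": path, "relative-to": "jboss.server.config.dir"})
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    updated = add_key_store(SAMPLE_STANDALONE_XML, "serverKS",
                            "server.keystore.jks", "secret")
    print(updated)
    print("placement problems:", check_key_store_placement(updated))
    print("misplaced sample:", check_key_store_placement(MISPLACED_SAMPLE))
    print("broken sample:", parse_error(BROKEN_SAMPLE))
```

Note that the jboss-cli :add commands quoted in the thread write exactly this kind of element into standalone.xml themselves once run-batch succeeds, which is the supported way to get the configuration in; the check above is for confirming that, or for finding a hand-pasted snippet that landed outside tls/key-stores (well-formed, but rejected at startup) or broke the file's well-formedness. ElementTree re-serializes with generated namespace prefixes (ns0:, ns1:); that is still the same document to a namespace-aware parser.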
_______________________________________________
server mailing list -- server(a)lists.fedoraproject.org